[opensource-dev] Known details of LL 'Firefly' client-side scripting

Morgaine morgaine.dinova at googlemail.com
Wed Mar 17 13:54:25 PDT 2010


Oh dear, I may see the problem.  Mailman/pipermail seems to be slicing
posts on a leading 'From ' as if incoming posts were in Unix mailbox format
(they're not!), a very elementary mistake.  Any Lindens reading this, please
give the mail/web sysadmins a heads-up.

Meanwhile, it's just a guess, but don't start paragraphs with 'From ' folks.

Morgaine.





=================================

On Wed, Mar 17, 2010 at 8:43 PM, Morgaine <morgaine.dinova at googlemail.com> wrote:

> [Mailman/pipermail is slicing up posts again in the M/L archive.  I'll try
> a repost.]
>
>
>
> Argent is exactly right.
>
> From sitting in on these OHs, the intention that has come across (but with
> some ambiguity) is definitely that binaries will be pushed to our clients
> and executed, even if this involves some action in-world.  Whatever the
> mechanism of transfer, these binaries are inherently untrusted and
> untrustworthy by inspection.  If you choose to assign your trust to them,
> that is your own personal lookout.
>
> Note that this situation is *NOT* like on the Web, where Javascript is
> sent to browsers as *source code* which is available for inspection by
> anyone who cares to do it.  Because of the possibility of inspection, the
> Web enjoys the "many eyeballs" effect that allows browsers to flag sites as
> malicious.  There will be no such protections here, because the distributed
> binaries are opaque.
>
> The mere idea that opaque binaries are being sent to people and executed
> locally on their PCs should be enough to send shivers down everyone's spine,
> even if they're only minimally aware of security.  From our technical and
> open source perspective here, which is after all what opensource-dev is all
> about, it's just completely unacceptable.
>
> Designing script execution to run on LL's servers is wholly within Linden
> rights to do in secret.  Designing script execution to run *on OUR private
> machines* is NOT within Linden rights to do in secret at all.
>
>
> Morgaine.
>
>>
>>
>>
>>
>>
>> ==================================
>>
>>
>> On Wed, Mar 17, 2010 at 6:45 PM, Argent Stonecutter <
>> secret.argent at gmail.com> wrote:
>>
>>> On 2010-03-17, at 12:31, Dzonatas Sol wrote:
>>> > You install a program on your computer, and you either trust it or
>>> > you don't. It comes down to that, so it doesn't matter if it is .NET
>>> > or Java or some binary made by company XYZZY.
>>>
>>> The quotes from the office hours make it seem like they're talking
>>> about having in-world content pushing stuff onto your client, not
>>> explicitly installing code.
>>>
>>> _______________________________________________
>>> Policies and (un)subscribe information available here:
>>> http://wiki.secondlife.com/wiki/OpenSource-Dev
>>> Please read the policies before posting to keep unmoderated posting
>>> privileges
>>>
>>
>>
>
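
The slicing described in the first message above, reproduced as an added example (not part of the original post, and not Mailman or pipermail code): a reader that treats every line beginning with 'From ' as an mbox separator, next to mboxrd-style quoting on the write side that keeps such lines inside the message. The sample posts, the separator line and all function names are constructed for illustration.

```python
import re

# Constructed sample posts; the second has a body paragraph starting with "From ".
POSTS = [
    "Subject: first\n\nYou either trust a program or you don't.\n",
    "Subject: second\n\nArgent is exactly right.\n\n"
    "From sitting in on these OHs, the intention is clear.\n"
    ">From an already-quoted line.\n",
]
SEPARATOR = "From archiver@example.invalid Wed Mar 17 13:54:25 2010\n"  # constructed

def escape_mboxrd(msg):
    """mboxrd quoting: add one '>' to every line matching ^>*From ."""
    return re.sub(r"^(>*From )", r">\1", msg, flags=re.M)

def unescape_mboxrd(msg):
    """Reverse of escape_mboxrd: drop exactly one leading '>'."""
    return re.sub(r"^>(>*From )", r"\1", msg, flags=re.M)

def write_mbox(posts, escape):
    """Store posts as: separator line, message text, one blank line."""
    return "".join(
        SEPARATOR + (escape_mboxrd(p) if escape else p) + "\n" for p in posts
    )

def split_on_from(mbox_text):
    """Naive reader: any line starting with 'From ' begins a new message."""
    messages, current = [], None
    for line in mbox_text.splitlines(keepends=True):
        if line.startswith("From "):
            if current is not None:
                messages.append("".join(current)[:-1])  # drop terminator
            current = []
        elif current is not None:
            current.append(line)
    if current is not None:
        messages.append("".join(current)[:-1])
    return messages

def read_mbox(mbox_text):
    """Reader paired with the escaping writer: split, then unquote."""
    return [unescape_mboxrd(m) for m in split_on_from(mbox_text)]

if __name__ == "__main__":
    sliced = split_on_from(write_mbox(POSTS, escape=False))
    intact = read_mbox(write_mbox(POSTS, escape=True))
    print(len(POSTS), "posts stored;", len(sliced), "read back without quoting,",
          len(intact), "with quoting")
```

Without quoting, the body line that starts with 'From ' is consumed as a separator, so the post is cut in two and that line is lost from the archive.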